
Sending Mixed Signals – What Can Happen in the Course of Vulnerability Disclosure

Update:

Given there’s quite some speculation and, as we think, misinformation going around, we think it’s helpful to add/clarify the following information:

  • we fully comply with the injunction and we have no intention to violate it. We do not plan to publish any technical information besides the report (agreed upon with FireEye themselves) and the slides (based on the former) anyway. No 3rd parties except for the ones involved (FireEye, lawyers) have received any additional technical information from our side, let alone an earlier version of the report.
  • the injunction covers accompanying details mostly within the architecture space, but not the core vulnerabilities themselves. Those are not part of the injunction.
  • we stand by the timeline as provided below. In particular, the following two points:
    – FireEye received a draft version of the report which had the objectionable material (as identified by the cease and desist letter) fully removed on August 11th.
    – according to the cease and desist letter FireEye’s lawyer sent us, they were informed – from our side – about the planned talk at 44CON on Jul 23rd.
  • there’s an injunction, but not a lawsuit. I used the term “sue” after consulting Merriam-Webster which states: “sue: to seek justice or right from (a person) by legal process”, but this might have been misinterpreted by some readers. As stated, there’s a pending injunction, but not a lawsuit.

Please note that we won’t share legal documents with 3rd parties or publish them as we consider this inappropriate.
Please note further that, during the whole process, our goal was to perform a responsible disclosure procedure with its inherent objectives (namely vulnerability remediation by the vendor and education of the various stakeholders involved, see also here or here). We consider this disclosure process as concluded. We don’t see a need to add technical details from our side as we feel that the objectives of responsible disclosure are met (not least as patches have been released for quite some time and both vendor & finder have released reports).

===

We’ve just released an ERNW Newsletter titled “Playing With Fire: Attacking the FireEye MPS” which describes several (meanwhile patched) vulnerabilities in FireEye’s “Malware Protection System” (webMPS) version 7.5.1. Right now Felix is giving a talk at 44CON in London on the topic, including some demos. He will release the slides after the talk => to catch the respective announcement you might follow him on Twitter (which is probably a good idea anyway if you’re interested in vulnerability research).

From a technical perspective all is said in those two documents and we won’t add anything, not least due to the pending injunction which we take very seriously and which we strictly adhere to. It should also be noted that the newsletter document in its current form is the result of a thorough review process performed jointly by FireEye and us, which means it can be considered approved by both parties.

Still I’d like to add some personal notes here, namely regarding the ongoing vulnerability disclosure debate and with regard to the pending legal proceedings.
I would be really happy if our case contributes to evolving the understanding, procedures and maturity of vulnerability disclosure in certain circles. If nothing else it would then have been worth the effort and energy spent so far on all this.

When I wrote this piece on vulnerability disclosure some weeks ago I did not expect “anything huge” to happen for us in the legal space soon, for the simple reason that ERNW’s (and my own) general approach to life usually includes resolving disputes by sitting down together and talking.
Actually during 10 years of disclosing vulnerabilities to many large vendors there was only one single case where “legal got involved” (not even from a vendor, but from a 3rd party in a complex political setting) and that one could be resolved – in our favour – within two hours, by phone calls.

So what went differently this time?

As you can see from the timeline in the slides we initially tried to reach out to FireEye in early April. Once a communication channel could be established some weeks later, a number of conference calls took place and at some point (end of June) we provided a draft version of the document we were planning to release (after a 90-day disclosure period).

From FireEye’s perspective this document contained way too many technical details about the inner workings of MPS and they argued that exposing such a level of detail wasn’t needed for a description of the vulnerabilities themselves and, more importantly, that this would provide knowledge to bad actors. We, on the other hand, were of the opinion that some level of contextual detail would be necessary to understand the nature of the vulnerabilities which in turn would subsequently serve the objective of education that is inherent to any responsible disclosure process.
Still we removed stuff from that document on several occasions during this phase. In addition, FireEye asked us to postpone the publication several times in order to reach a better coverage of upgraded systems in the field as patches for the main vulnerabilities had already been available since the end of June (which, as I may note, we considered impressively fast from their side!). We always complied with that request.

In late July they suggested meeting face to face, presumably in Heidelberg. We replied that we would be in Las Vegas shortly thereafter anyway and we could meet on that occasion as this would probably facilitate logistics. No sooner said than done and we met on August 5th in LV (overall seven people, four guys from FireEye and Matthias, Felix and myself). We went through the document draft, section by section, and discussed wordings and (level of) technical details. All three of us had the strong impression that a preliminary consensus was reached during that meeting, and a number of hands were shaken at parting. We think it was agreed upon that we would send the next, mostly final iteration in the following week.

Less than 24 hours later we received an extensive cease-and-desist letter stating a number of accusations and demands, mainly in the realm of intellectual property protection (note that – as can be seen from the jointly approved document mentioned above – we are possibly allowed to discuss core technical details of the vulnerabilities themselves, but not accompanying stuff which would provide context, which evidently is a quite blurred line of demarcation).
It was requested that we sign the associated confession by Monday 10th, which was roughly one working day after receipt of the letter (btw, everybody involved knew we were abroad in a time zone with a 9h difference, with holidays planned after Black Hat). Furthermore, the latter explicitly stated “that no consensus was reached on Aug 5th”. Apparently we lived on a different planet…
Let me state here that we fully understand FireEye’s desire to protect their intellectual property and of course we adhere to the respective laws. It’s just: we never had the intention to violate that anyway, and we had given our (both virtual and physical) handshake several times that nothing would be published without mutual agreement. We thought we were on the same track.

I called our lawyer and he replied to their lawyer that we would respond to that letter by Aug 17th (as time would be needed to go through the whole thing and to prepare a proper statement). Without even waiting for that response FireEye further escalated and reached out to a district court to get an injunction issued on Aug 13th (while, in the interim, on Aug 11th we had sent another draft with everything removed as per the cease-and-desist letter). We got that injunction delivered to us on Sep 2nd, which was just eight days ago as of today.

We can only speculate what the intentions are from their side. In any case I’d like to express my firm conviction that

  • in general we consider it an inappropriate strategy to sue researchers responsibly reporting security vulnerabilities (for the record: without asking for money or anything else).
  • even more so once there’s a (at least from our perspective) good relationship on the level of the people actually working together. I mean you guys had our handshake (in Vegas) that we wouldn’t release anything without your approval.

I’d like to make clear that we met reasonable and, so we think, honest people from FireEye in the course of the procedure (you know who you are). But I can’t hide that we are very disappointed by the course of action some people within the organization considered the right way of dealing with the situation. I don’t think it’s appropriate in this specific case, I don’t think it’s appropriate in the vast majority of other cases of responsible disclosure and I think it eventually sends the wrong signal to the research community.